ThingLink GDPR Compliance

The EU General Data Protection Regulation (GDPR) is now in full effect as of May 25th, 2018. We at ThingLink have clarified our Privacy Policy and Terms of Service to let you know about your rights under this new regulation. Please read and familiarize yourself with them, as you will need to accept them before you continue to use ThingLink.

Note that we won’t be sending you an email asking you to stay on our mailing lists, because we already asked about that when you first signed up. If you chose to opt-out at that point, we’re not going to bother you unless it’s about invoices or technical problems. Remember that you can always change your preferences in your account settings. Our monthly email is a good source of information about product updates and inspiration from our community.

The biggest visible change to you that GDPR brings is this: Your images and videos that contain third party embedded content will be showing a popup detailing all the domains that the viewers information may be sent to so that the user can give informed consent. This lets you continue embedding Thinglink content with confidence that your own customers have their privacy protected.

A note to Pro and Premium users: If you have your own GDPR consent scheme in place on your own site, you can turn off the Thinglink GDPR notification in your account settings under Advanced Media Settings.

Implementing GDPR is quite an ordeal for a small company. Luckily, because Thinglink is a Finnish company and has already been subject to EU legislation for quite some time, the necessary changes that we had to do were mostly just about going through our practices, legal documents, and writing everything up. Among the things that we have done are:

1. We internalized all of the Javascript and CSS that we were previously using third party CDNs for (jsdlivr, Google, MaxCDN, etc.) and are now serving all of them from our own infrastructure. This means that your IP address isn’t being leaked all over the place as your browse Thinglink images.

2. We reviewed all the data we were sending to different analytics services and deleted anything that we didn’t absolutely need, and pseudonymized the rest. Pseudonymization is done also on a per-service basis, so even if two services combined, they wouldn’t be able to figure out who is who.

4. We checked all external services for GDPR compliance and removed the ones that we weren’t actively using anymore or could be replaced with GDPR-compliant ones.

5. We went through our codebase and added tests to check that when you delete an account, we really do go delete your data from external services as well (where applicable). The good thing is that GDPR compliance means that companies offering services do have to provide an API for this as well, so it’s now actually possible to do that.

7. We brought our password and signup handling in compliance to NIST 800-63-3 Authenticator Assurance Level (AAL) 1 -standard. This means e.g. that the minimum password length is now 8 characters and we do check on people trying to use “12345678” as their password.

8. We rewrote our Privacy Policy and our Terms of Service to be GDPR -compliant. Now they address the terms for underage users a lot better than before.

9. We added a new section about our Privacy Architecture to our Terms of Service-page to describe more exactly what kind of data we collect and where, and how we store and treat your data.

10. The topic of third-party embeds on images was the most interesting: The main issue with embedding content in a Thinglinked image is that upon viewing the image, your data is shared with the embedded site – if you embed a YouTube video, YouTube sees when the video opens without you getting a say on the matter. So after looking at different options, we decided to add a new consent screen on images and videos: if, the act of viewing and exploring the image would cause data to be shared with another site, we let you know before you proceed. We store the consent for some time, so you don’t have to keep clicking “Accept” every time you watch the image.

11. Finally, we trained the sales, support and developer staff about GDPR.

All in all, GDPR is a good thing, even though for the past few months it’s been a bit laborious. It enforces common, good practices and makes the Internet hopefully a bit better place for people.

If you have any questions about ThingLink’s compliance with GDPR, please reach out to support@thinglink.com!